On Wed, Jul 1, 2015 at 2:41 PM, Adrian Hope-Bailie <adrian@hopebailie.com> wrote: > I suggest "Prefer: Transport-Security" as that is effectively what the > client is asking for. > If `Vary` isn't an issue, then yes, something like this seems totally reasonable: https://github.com/w3c/webappsec/issues/216 has some earlier iterations that we threw away. Since we're painting, I'd spell it `Prefer: secure-transport`, but whatever. > WRT caching, it seems to me that a server that supports the upgrade will > do a redirect when it first receives this header and should simply use > Cache-Control : no-store in the redirect response and never use the Vary > header anyway. It's likely that in the upgrade scenario this flow will only > happen once per client and so the value of caching this step is low. > I defer to people who know more about the network stack than I, but yes. This seems like a reasonable thing for servers to do. Also, not sure why it's critical to drop a few bytes from the headers at > the expense of making this understandable? > If this is an advertisement that goes out on every navigational request; those bits get expensive when you multiply them by a bajillion users. Happily, magical header compression dust can be sprinkled on HTTP/2 connections, which removes all cost from header injection (all cost! really! mostly! kinda! not really. :( ). -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Wednesday, 1 July 2015 13:32:04 UTC